AppSec Blog

What's in Your iOS Image Cache?

Backgrounding and Snapshots

In iOS, when an application moves to the background the system takes a screenshot of the application's main window. This screenshot is used to animate transitions when the app is reopened. For example, pressing the home button while using the logon screen of the Chase App results in the following …


Spot the Vuln - Sleep - SMTP Command Injection

Details
Affected Software: PunBB
Fixed in Version: 1.3.2
Issue Type: SMTP Command Injection
Original Code: Found Here

Description
Interesting bug here. In 2008, Stefan Esser reported a bug to the PunBB team which described an SMTP command injection vulnerability. If we look at the code below, we see that PunBB opens a socket connection to …


Spot the Vuln - Sleep

"It is a common experience that a problem difficult at night is resolved in the morning after a committee of sleep has worked on it." - John Steinbeck

Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. …


Secure Coding iPhone and iPad Apps Against MiTM

This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on "Hacking and Securing Next Generation iPhone and iPad Apps" at SANS AppSec 2011. Many iOS applications use HTTP to connect to server side resources. To protect user data from being eavesdropped, iOS applications often use SSL to encrypt their …


Spot the Vuln - Banks - Cross Site Scripting

Details
Affected Software: PunBB
Fixed in Version: 1.3
Issue Type: Cross Site Scripting (XSS)
Original Code: Found Here

Description
Passwords, passwords, passwords. For some reason, developers sometimes assume password values are safe and do not need encoding. In this example, the developers chose to encode username values (line 87); however, they assumed password values would …